U.S. Patent Application Serial No. 09/886,146
AMENDMENTS TO THE CLAIMS:

This listing of claims will replace all prior versions, and listing, of claims in the application: 
Listing of Claims:

1-35. (Canceled) 

36-37. (Withdrawn) 

38-39. (Canceled) 

40. (Currently Amended) A method for constraining delegation of service requests 
made by a first server on behalf of a client, the method comprising: 

receiving, at the first server, an authentication mechanism for the client, wherein the 
authentication mechanism is generated using a first authentication method; 

authenticating, by the first server, the client based upon the authentication mechanism, 
wherein such authentication is performed according to the first authentication method; 

identifying, by the first server, a target service to which access is sought on behalf of the 
client, wherein the target service is resident on a target server; 

sending, by the first server, a request according to a second authentication method to a
trusted third-party to issue a first service ticket to the first server for the client, wherein the first
service ticket is adapted to be used with [[a]] the second authentication method, and wherein the
second authentication method is different from the first authentication method; 

receiving, at the first server, the first service ticket to the first server, wherein the first 
service ticket to the first server specifies that the first service ticket is delegable through the 
presence of a forwardable flag in the first service ticket; 

requesting, by the first server, a target service ticket from the trusted third-party 
configured for use by the first server to access the target service on behalf of the client, wherein
the first server provides the trusted third-party with the first service ticket when requesting the
target service ticket, and wherein the target service ticket is adapted to be used with the second
authentication method; and 

sending the target service ticket to the target server. 

41-42. (Canceled)

43. (Previously Presented) The method as recited in Claim 40, wherein the 
target service ticket is configured for use by the server and the target service to which access is 
sought. 

44-45. (Canceled) 

46. (Previously Presented) The method as recited in Claim 40, wherein the first 
server is a front-end server, and wherein the target server is a back-end server that is coupled to 
the first server. 

47. (Original) The method as recited in Claim 40, wherein the first authentication 
method is selected from a group of authentication methods comprising Passport, SSL, NTLM, 
and Digest. 

48. (Original) The method as recited in Claim 40, wherein the second 
authentication method includes a Kerberos authentication protocol. 

49. (Currently Amended) A computer-readable storage medium on a first server 
storing computer-executable instructions for performing a method of constraining delegation of 
service requests made by the first server on behalf of a client, the method comprising: 

receiving, at the first server, an authentication mechanism for the client, wherein the 
authentication mechanism is generated using a first authentication method; 

authenticating, by the first server, the client based upon the authentication mechanism,
wherein such authentication is performed according to the first authentication method; 

identifying, by the first server, a target service to which access is sought by the client, 
wherein the target service is resident on a target server; 

sending, by the first server, a request according to a second authentication method to a
trusted third-party to issue a first service ticket to the first server for the client, wherein the first
service ticket is adapted to be used with [[a]] the second authentication method, and wherein the
second authentication method is different from the first authentication method; 

receiving, at the first server, the first service ticket to the first server, wherein the first 
service ticket to the first server specifies that the first service ticket is delegable through the 
presence of a forwardable flag in the first service ticket; 

requesting, by the first server, a target service ticket from the trusted third-party 
configured for use by the first server to access the target service on behalf of the client, wherein
the first server provides the trusted third-party with the first service ticket when requesting the
target service ticket, and wherein the target service ticket is adapted to be used with the second
authentication method; and 

sending the target service ticket to the target server.

50. (Previously Presented) The computer-readable medium as recited in Claim 
49, wherein the trusted third-party includes a key distribution center (KDC). 

51. (Canceled). 

52. (Previously Presented) The computer-readable medium as recited in Claim 
49, wherein the target service ticket is configured for use by the server and the target service. 

53. (Previously Presented) The computer-readable medium as recited in Claim 
49, further comprising authenticating the server to the trusted third-party, wherein a credential 
authenticating the server to the trusted third-party includes a ticket granting ticket associated 
with the server. 

54. (Canceled). 

55. (Previously Presented) The computer-readable medium as recited in Claim 
49, wherein the first server is a front-end server, and wherein the target server is a back-end 
server that is coupled to the front-end server. 

56. (Original) The computer-readable medium as recited in Claim 49, wherein
the first authentication method is selected from a group of authentication methods comprising 
Passport, SSL, NTLM, and Digest. 

57. (Original) The computer-readable medium as recited in Claim 49, wherein 
the second authentication method includes a Kerberos authentication protocol. 

58-61. (Canceled) 

62. (Currently Amended) A method, performed by a trusted third-party, of 
constraining delegation of service requests made by a first server on behalf of a client, the 
method comprising: 

receiving, at the trusted-third party, a first request from the first server for a first service 
ticket, wherein the first server provides evidence that the client has been authenticated to the first 
server using a first authentication method, and wherein the first service ticket is a service ticket 
granting the client access to services on the first server; 

sending the first service ticket to the first server, wherein the first service ticket is adapted
to be used with a second authentication method, and wherein the second authentication method is
different from the first authentication method; 

receiving a second request from the first server to access a target server, wherein the first 
server is requesting to access the target server on behalf of the client, and wherein the second 
request comprises the first service ticket; 

determining if the client has authorized delegation to the first server to request the access 
to the target service on the behalf of the client by checking the first service ticket for the presence 
of a forwardable flag; and 

if the forwardable flag is present in the first service ticket, generating a target service 
ticket and sending the target service ticket to the first server; 

if the forwardable flag is not present, denying the second request. 
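
The trusted third-party's decision in Claim 62, as a toy model added here for illustration; it is not part of the application and not Kerberos wire format. The names `frontend`, `backend`, `alice`, the delegation policy table, and the HMAC seal that stands in for ticket encryption are all assumptions.

```python
import hashlib
import hmac
import json
import os

# Toy trusted third-party (KDC). Ticket layout and HMAC seal are assumptions.
KDC_KEY = os.urandom(32)  # constructed key known only to the toy KDC

# Constructed policy: (client, first server) pairs with delegation authorized.
DELEGATION_ALLOWED = {("alice", "frontend")}


def _seal(body: dict) -> dict:
    raw = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(KDC_KEY, raw, hashlib.sha256).hexdigest()}


def _verify(ticket: dict) -> bool:
    raw = json.dumps(ticket["body"], sort_keys=True).encode()
    expected = hmac.new(KDC_KEY, raw, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, ticket.get("mac", ""))


def issue_first_ticket(first_server: str, client: str, evidence_ok: bool) -> dict:
    """First request: service ticket to first_server for the client."""
    if not evidence_ok:
        raise PermissionError("no evidence the client authenticated to the first server")
    flags = ["forwardable"] if (client, first_server) in DELEGATION_ALLOWED else []
    return _seal({"client": client, "service": first_server, "flags": flags})


def issue_target_ticket(first_server: str, first_ticket: dict, target: str) -> dict:
    """Second request: grant or deny based on the forwardable flag."""
    if not _verify(first_ticket):
        raise PermissionError("first service ticket was not issued by this KDC")
    body = first_ticket["body"]
    if body["service"] != first_server:
        raise PermissionError("ticket was issued to a different server")
    if "forwardable" not in body["flags"]:
        raise PermissionError("forwardable flag not present: request denied")
    return _seal({"client": body["client"], "service": target, "flags": []})


def try_delegate(client: str) -> str:
    """Run both requests for one client; return the client name or the denial."""
    first = issue_first_ticket("frontend", client, evidence_ok=True)
    try:
        return issue_target_ticket("frontend", first, "backend")["body"]["client"]
    except PermissionError as exc:
        return f"denied: {exc}"
```

The seal matters for the check: if the first server could add the flag to its own ticket, the presence test in the second request would constrain nothing.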

63. (Previously Presented) The method of Claim 62, wherein the first
authentication method is selected from a group of authentication methods comprising Passport, 
SSL, NTLM, and Digest. 

64. (Previously Presented) The method of claim 62, wherein the second
authentication method includes a Kerberos authentication protocol. 